Certification path validation algorithm: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 13:02, 8 July 2020 edit 166.182.82.252 (talk) I have no actions taken at github. Anything related to this phone or my home pc Mac are brute force 3rd party attacks. Please remove and takedown to stop illegal hacking/please DO NOT TRACK or allow any further 3rd party actions of any personal or intellectual properties Tags: wikilinks removed Visual edit Mobile edit Mobile web edit ← Previous edit		Latest revision as of 09:26, 14 July 2023 edit undo Polyphemus Goode (talk \| contribs) Extended confirmed users 1,099 edits link revocation status
(8 intermediate revisions by 7 users not shown)
Line 1: {{Short description\|Test for a valid public key certificate}} The '''certification path validation algorithm''' is the [[algorithm]] which verifies that a given '''certificate path''' is valid under a given [[public key infrastructure]] (PKI). A path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted [[root certificate]], typically issued by a trusted [[certificate authority]] (CA). Line 13 ⟶ 14: * The public key algorithm and parameters are checked; * The current date/time is checked against the validity period of the certificate; * The [[revocation status]] is checked, whether by [[Certificate revocation list\|CRL]], [[Online Certificate Status Protocol\|OCSP]], or some other mechanism, to ensure the certificate is not revoked; * The issuer name is checked to ensure that it equals the subject name of the previous certificate in the path; * Name constraints are checked, to make sure the subject name is within the permitted subtrees list of all previous CA certificates and not within the excluded subtrees list of any previous CA certificate; * The asserted [[certificate policy]] [[object identifier\|OIDs]] are checked against the permissible OIDs as of the previous certificate, including any policy mapping equivalencies asserted by the previous certificate; * Policy constraints and basic constraints are checked, to ensure that any explicit policy requirements are not violated and that the certificate is a CA certificate, respectively. This step is crucial in preventing some [[man in the middle attack]]s;<ref>[[Moxie Marlinspike]], [https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf New Tricks For Defeating SSL In Practice], [[Black Hat Briefings\|Black Hat]] DC Briefings 2009 conference.</ref> * The path length is checked to ensure that it does not exceed any maximum path length asserted in this or a previous certificate; * The key usage extension is checked to ensure that is allowed to sign certificates; and